- Tactics
- Privilege Escalation , Persistence
- Platforms
- Windows
- Reference
- attack.mitre.org/techniques/T1546.002
Description
Adversaries may establish persistence by executing malicious content triggered by user inactivity. Screensavers are programs that execute after a configurable time of user inactivity and consist of Portable Executable (PE) files with a .scr file extension.(Citation: Wikipedia Screensaver) The Windows screensaver application scrnsave.scr is located in C:\Windows\System32</code>, and C:\Windows\sysWOW64</code> on 64-bit Windows systems, along with screensavers included with base Windows installations.
The following screensaver settings are stored in the Registry (HKCU\Control Panel\Desktop</code>) and could be manipulated to achieve persistence:
SCRNSAVE.exe - set to malicious PE pathScreenSaveActive - set to ‘1’ to enable the screensaverScreenSaverIsSecure - set to ‘0’ to not require a password to unlockScreenSaveTimeout - sets user inactivity timeout before screensaver is executed
Adversaries can use screensaver settings to maintain persistence by setting the screensaver to run malware after a certain timeframe of user inactivity.(Citation: ESET Gazer Aug 2017)
How GTK Cyber trains on this
GTK Cyber's hands-on training programs cover detection engineering across the MITRE ATT&CK framework, including the Privilege Escalation, Persistence tactic this technique falls under. Our practitioner-led courses focus on building real detections, not just memorizing technique IDs.
Related techniques
- T1037 — Boot or Logon Initialization Scripts
- T1053 — Scheduled Task/Job
- T1055 — Process Injection
- T1068 — Exploitation for Privilege Escalation
- T1078 — Valid Accounts
- T1098 — Account Manipulation
- T1112 — Modify Registry
- T1133 — External Remote Services
- T1134 — Access Token Manipulation
- T1136 — Create Account
- T1137 — Office Application Startup
- T1176 — Software Extensions